'Bank Transfer': What About Security?

Between Occupy Wall Street and the so-called Bank Transfer movement, consumer outrage with big banks is fueling new account growth at community banks and credit unions.

But how well prepared are the smaller institutions to handle increased security risks and fraud-prevention demands that come with such quick growth?

Cary Whaley of the Independent Community Bankers Association says regular face-to-face interaction with customers and members often makes security at smaller institutions something of a given. But institutions should not underestimate the vulnerabilities these new account openings can expose.

"If you don't have thorough procedures, there is a greater chance you are going to get a riskier customer," Whaley says. "You've got to be sure you're covering all the bases."

He also suggests institutions review the policies and options they have in place for new-customer account monitoring. "What transactional limits do you set per customer, and what happens when those limits are breached? With more accounts, these are things to consider," Whaley says.

Impact of Bank Transfer

How effective is the Bank Transfer movement? Some news reports suggest at least 650,000 Americans have switched to credit unions since Sept. 29. According to the National Association of Federal Credit Unions, 54 percent of credit unions have reported increases in share growth.

San Francisco-based Patelco Credit Union, a larger institution with approximately $3.75 billion in assets, says its new members and checking-account openings are up 70 percent for the months of September and October. Ryan Misasi, vice president of sales for Patelco, says daily averages more than doubled during the first five business days of November.

Bank Transfer Day called for consumers to move their money by Nov. 5. But Fred Becker, president of the NAFCU, says he expects account migration to continue through the end of the year.

"You hit a peak or crescendo with anything, but I think you will continue to see movement," he says. "We're not done yet with the big banks and what they may do next. They still have to make that money up, and how they will do that remains to be seen."

A poll of ICBA members conducted the week of Oct. 17 found that 60 percent of those community banks surveyed had picked up new customers as a result of frustrations associated with larger banks.

By October, a separate Facebook page had been dedicated to Bank Transfer Day. Though Bank Transfer supporters and Occupy Wall Street protestors say they are separate, they share common themes and support one another's efforts.

That united support now has banks' attention. Last week, BofA said it had changed plans and would not implement the $5 debit fee it announced in early fall. Other large financial institutions have made similar announcements [See No Debit Fees; What Next?].

The Security Question

From a security perspective, the same consumer protections provided by larger institutions must also be provided by smaller institutions. "The same security protocols would apply regardless," says Fred Becker, president of the NAFCU. "And we've heard nothing about difficulties on the parts of our credit unions being able to handle the growth."

Smaller geographical footprints, shared by community banks and credit unions, give smaller institutions security advantages, in some cases. "If the bank is small enough to where it has face-to-face contact with customers and employees are seeing the transactions and know you as a customer and know your behavior, that's a plus for security," ICBA's Whaley says. "One of the best cross-channel security sets out there is having the same set of eyes looking at transactions across numerous channels. So smaller banking institutions can bring some things to the table that larger institutions can't."

From a technology and security perspective, Becker says consumers will experience no changes. He also says credit unions are prepared to meet their growing member bases' technology and security demands.

"I don't think many institutions are going to be caught off-guard by the growth," he says. "They've been seeing this trend for a while. It was mostly a matter of making sure they had enough staffing; everything else, from online banking to services and other technology, they could handle."

Like Becker, Whaley says the same consumer security protections mandated for larger institutions are mandated for smaller institutions as well.

"There are built in consumer protections, like Reg E," he says. "And the FFIEC guidance ups the ante and pushes banks even more to consider more protections."

But Neal O'Farrell, founder of the Identity Theft Council, says consumers are worried about security, and they should be.

"Can a credit union really protect me?" O'Farrell asks. "Not just my money, but all my personal information, too? How good and quick are they at detecting a security breach and notifying me? How quickly can they resolve a security issue or fraud? And will my money be any safer there than at a large bank?"

O'Farrell acknowledges that credit unions and community banks often suffer from fewer cyberhacks and breaches. But as their transaction volume increases, so, too, will their vulnerabilities and security gaps, he surmises.

"Credit unions have long argued that history shows they suffer from fewer attacks than larger banks. Experts have argued that's only because of their small size," he says. "The hackers will follow the crowds, and I'm just not sure that smaller financial institutions are prepared for the risk exposure. Many are still struggling financially and have not been able to make the enormous and endless security investments the bigger banks have been making."

About the Author

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;